If you had Slack on your “Next to get Hacked” Bingo card, go ahead and mark them off. Today, the official blog of the real-time messaging platform revealed that they’ve uncovered some unauthorized access to their databases.
Slack has outlined the following in regards to the breach:
- Slack maintains a central user database which includes user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, this database contains information that users may have optionally added to their profiles such as phone number and Skype ID.
- Information contained in this user database was accessible to the hackers during this incident.
- We have no indication that the hackers were able to decrypt stored passwords, as Slack uses a one-way encryption technique called hashing.
- Slack’s hashing function is bcrypt with a randomly generated salt per-password which makes it computationally infeasible that your password could be recreated from the hashed form.
- Our investigation, which remains ongoing, has revealed that this unauthorized access took place during a period of approximately 4 days in February.
- No financial or payment information was accessed or compromised in this attack.
Considering the delay we’ve seen by some companies in reporting similar breaches, I applaud Slack for the relatively quick turnaround in this instance. Slack has also indicated that they have reached out to a small number of users that exhibited some suspicious activity on their accounts.
To try and combat this sort of event in the future, Slack has set up two-factor authorization, and have strongly suggested that all Slack users set it up. Slack has also suggested (as has Techaeris) that two-factor authentication be used anywhere it is available.
In addition, they’ve also provided new team owner controls in the form of a “Password Kill-Switch.” This will immediately log out all team members and prompt everybody to change their passwords.
Do you use Slack? Have you heard from them regarding suspicious activity on your account? Let us know in the comments, or on Google+, Facebook, or Twitter.Source: Slack HQ